From: Maxim Cournoyer
To: Björn Höfling
Cc: 33253-done@debbugs.gnu.org, Gnu Röoty
Subject: bug#33253: nss cannot build
Date: Sat, 03 Apr 2021 00:44:11 -0400
Message-ID: <87eefsq8o4.fsf@gmail.com>
In-Reply-To: <20181104173014.0a56d2dd@alma-ubu>

Hi,

Björn Höfling writes:

> On Sun, 4 Nov 2018 09:52:44 +0000
> Gnu Röoty wrote:
>
>> Hi from 2 days I build the installation of guixSD to
>> berlin.guixsd.org and nss-3.36.6 can't build.
>
> This was also reported on guix-help by Brian Woodcox.
>
> Here is some analysis I reported to that thread:
>
> This package does not build reproducibly. At least in the long term:
> There are tests that check certificates on temporal validity and that
> depends on the system time.
>
> I can reproduce your result with the 3.39 version. It looks like one
> certificate is expired. All 6 failing tests look about like this one:
>
>
> s -d AllDB -pp - PASSED
> chains.sh: Verifying certificate(s) PayPalEE.cert with flags -d AllDB -pp
> -o OID.2.16.840.1.114412.1.1
> vfychain -d AllDB -pp -vv -o OID.2.16.840.1.114412.1.1 /tmp/guix-build-nss
> -3.39.drv-0/nss-3.39/nss/tests/libpkix/certs/PayPalEE.cert
> Chain is bad!
> PROBLEM WITH THE CERT CHAIN:
> CERT 0. PayPalEE :
> ERROR -8181: Peer's Certificate has expired.
> Returned value is 1, expected result is pass
> chains.sh: #1555: RealCerts: Verifying certificate(s) PayPalEE.cert
> with flags -d AllDB -pp -o OID.2.16.840.1.114412.1.1 - FAILED
>
>
> I don't know how to check the expiration date of PayPalEE.cert.
>
> It looks like upstream has not yet worked on it, as the file was last
> modified two years ago:
>
> https://hg.mozilla.org/projects/nss/log/tip/tests/libpkix/certs/PayPalEE.cert
>
> Cmp also this bug that demands non-expiration certificates:
>
> https://bugzilla.mozilla.org/show_bug.cgi?id=1330010
>
> Building 3.40 does not work with just updating version/hashsum.
>
> A quick solution would be to build nss from a Guix git-checkout and
> disable tests. But it has many dependencies, so you more or less rebuild
> the world.
>
>
> Björn

Since at least Thu Apr 4 15:14:57 2019 +0200, the test dealing with the
problematic PayPalEE.cert certificate is now done after faking the time
to a date around the release date with the 'faketime' utility.

As nss builds fine currently, I'm marking this bug as done.

Thanks for the report!

Maxim
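
The expiry check asked about in the quoted analysis, and the effect of pinning the clock during verification, as an added example that is not part of the original thread or of the Guix or nss sources. Assumptions: the openssl CLI is installed, a throwaway self-signed certificate generated on the spot stands in for PayPalEE.cert, the function names are illustrative, and `openssl verify -attime` is used here to pin the time instead of the 'faketime' utility mentioned above.

```shell
#!/bin/sh
# Constructed demo: a one-day self-signed certificate stands in for PayPalEE.cert.
# All file and function names are illustrative, not taken from nss or Guix.

# make_cert DIR: create key.pem and cert.pem in DIR, valid for one day.
make_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-test-cert" \
        -keyout "$1/key.pem" -out "$1/cert.pem" 2>/dev/null
}

# not_after CERT: print the certificate's expiration date (notAfter).
not_after() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# expires_within CERT SECONDS: succeed if CERT expires within SECONDS from now.
# (-checkend exits non-zero when the certificate will have expired by then.)
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# verify_at CERT EPOCH: verify the self-signed CERT as if the clock read EPOCH.
# Pinning the time makes the result independent of the build machine's clock.
verify_at() {
    openssl verify -attime "$2" -CAfile "$1" "$1" >/dev/null 2>&1
}

demo() {
    dir=$(mktemp -d) || return 1
    make_cert "$dir" || return 1
    cert="$dir/cert.pem"
    now=$(date +%s)
    echo "notAfter: $(not_after "$cert")"
    # Same certificate, two clocks: the result depends only on the time used.
    verify_at "$cert" "$now" && echo "clock = now: chain OK"
    verify_at "$cert" $((now + 3 * 86400)) || echo "clock = now + 3 days: expired"
    rm -rf "$dir"
}

demo
```

For a DER-encoded certificate file, add `-inform DER` to the `openssl x509` calls.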